Ask the Experts: Wired Guest Access
Sharath K.P.
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions on wired guest access with expert Sharath K.P. Wired guest access enables guest users to connect to the guest access network from a wired Ethernet connection designated and configured for guest access. Sharath K.P. is a Customer Support Engineer specialized in wireless and switching technologies at the Technical Assistance Center in Cisco Bangalore. He has been troubleshooting wireless and switching networks and management tools since 2009. Sharath has a bachelor's degree in Electrical Electronics Engineering from P.E.S College of Engineering (PESCE), VTU at Belgaum, India. He holds CCNP certifications in R&S and Wireless.
Remember to use the rating system to let Sharath know if you have received an adequate response.
Sharath might not be able to answer each question due to the volume expected during this event.
Remember that you can continue the conversation on the Wireless and Mobility sub-community discussion forum shortly after the event. This event lasts through January 27, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
Hi Daniel,
Wonderful observation and great question.
Yes, we don't find any recommendation or inputs in Cisco docs on scenarios where we have multiple foreign WLCs present. When we go through the Cisco doc available for Wired Guest Access
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml
Two separate solutions are available to the customers:
A single WLAN controller (VLAN Translation mode) - the access switch trunks the wired guest traffic in the guest VLAN to the WLAN controller that provides the wired guest access solution. This controller carries out the VLAN translation from the ingress wired guest VLAN to the egress VLAN.
Two WLAN controllers (Auto Anchor mode) - the access switch trunks the wired guest traffic to a local WLAN controller (the controller nearest to the access switch). This local WLAN controller anchors the client onto a DMZ Anchor WLAN controller that is configured for wired and wireless guest access. After a successful handoff of the client to the DMZ anchor controller, the DHCP IP address assignment, authentication of the client, etc. are handled in the DMZ WLC. After it completes the authentication, the client is allowed to send/receive traffic.
So as per Cisco best practices, using multiple foreign controllers for the same wired guest VLAN is not supported and the results will be unpredictable.
I do understand the confusion regarding such scenarios, as this (multiple foreign WLCs) is a very general setup which customers would like to deploy.
We have already opened a bug for the same (a little late though).
Bug ID: CSCtw44999
The WLC Config Guide should clarify our support for redundancy options for wired guest.
Symptom:
Do not trunk a wired guest VLAN to multiple foreign controllers. This is not supported, and will
generate unpredictable results.
Some of the other changes that we will be making as a part of the doc correction would be
http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_user_accts.html#wp1066125
1. The WiSM2 needs to be added as a supported controller. (Not sure about the 7500, check with PM)
2. Where it says "Do not attempt to trunk a guest VLAN on the Catalyst 3750G ...", this should read:
"Do not trunk a wired guest VLAN to multiple foreign controllers. This is not supported, and will
generate unpredictable results."
3. Add at least a line mentioning support for multiple anchors for a guest wired LAN.
Now if you already have such deployments, the criteria would be that the nearest WLC on the broadcast domain (Layer 2) would respond to the client association request.
Cisco Controller) >Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 Adding mobile on Wired Guest 00:00:00:00:00:00(0)
Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 apfHandleWiredGuestMobileStation (apf_wired_guest.c:121) Changing state for mobile
00:0d:60:5e:ca:62 on AP 00:00:00: 00:00:00 from Idle to Associated .
I hope the above explanation clarifies your doubts to a certain extent and also keeps you informed on Cisco's roadmap for this feature.
Regards,
Sharath K.P.
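The "Symptom" above describes the unsupported condition (one wired guest VLAN reaching several foreign controllers) but gives no way to spot it in an existing deployment. The script below is an added example, not code from Sharath's reply or from Cisco: it assumes you have captured `debug client` output from each foreign WLC into text keyed by a controller name of your choosing, parses the "Adding mobile on Wired Guest" line in the format quoted above, and reports any client MAC that more than one controller claimed. A MAC claimed by two foreign controllers means the guest VLAN is trunked to both, which is exactly what the bug text says not to do. The controller names and the second client MAC in the sample are constructed.

```python
import re
from collections import defaultdict

# Matches the "Adding mobile on Wired Guest" line of WLC 'debug client' output,
# in the format quoted in the reply above. The timestamp is kept for reporting.
ADD_MOBILE_RE = re.compile(
    r"(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) Adding mobile on Wired Guest",
    re.IGNORECASE,
)


def wired_guest_adds(debug_output):
    """Return {mac: first timestamp} for every client this controller added as a wired-guest mobile."""
    adds = {}
    for line in debug_output.splitlines():
        m = ADD_MOBILE_RE.search(line)  # search, not match: a pasted CLI prompt may precede the timestamp
        if m:
            adds.setdefault(m.group("mac").lower(), m.group("ts"))
    return adds


def clients_on_multiple_foreigns(logs_by_controller):
    """logs_by_controller maps a controller name to its captured debug text.
    Returns {mac: sorted controller names} for every MAC that more than one
    controller claimed, i.e. the wired-guest VLAN reaches several foreign WLCs."""
    seen = defaultdict(set)
    for wlc, text in logs_by_controller.items():
        for mac in wired_guest_adds(text):
            seen[mac].add(wlc)
    return {mac: sorted(wlcs) for mac, wlcs in seen.items() if len(wlcs) > 1}


# Constructed sample: the two lines quoted in the reply plus a second client,
# as if captured on two hypothetical foreign controllers WLC-A and WLC-B.
SAMPLE_LOGS = {
    "WLC-A": (
        "(Cisco Controller) >Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 Adding mobile on Wired Guest 00:00:00:00:00:00(0)\n"
        "Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 apfHandleWiredGuestMobileStation (apf_wired_guest.c:121) "
        "Changing state for mobile 00:0d:60:5e:ca:62 on AP 00:00:00:00:00:00 from Idle to Associated .\n"
        "Tue Sep 11 13:28:05 2007: 00:0d:60:5e:ca:63 Adding mobile on Wired Guest 00:00:00:00:00:00(0)\n"
    ),
    "WLC-B": (
        "Tue Sep 11 13:27:43 2007: 00:0D:60:5E:CA:62 Adding mobile on Wired Guest 00:00:00:00:00:00(0)\n"
    ),
}

if __name__ == "__main__":
    for mac, wlcs in clients_on_multiple_foreigns(SAMPLE_LOGS).items():
        print(f"{mac} was added as a wired guest on {len(wlcs)} foreign controllers: {', '.join(wlcs)}")
```

MAC addresses are lower-cased before comparison because different WLC code versions print them in different cases; a client that appears on only one controller is not reported, so a clean run prints nothing.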
Similar Messages
-
Welcome to the Cisco® Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about planning, designing, and implementing mobile remote access (Cisco Collaboration Edge Architecture) with Cisco subject matter experts Aashish Jolly and Abhijit Anand.
Cisco Collaboration Edge Architecture is an architecture that provides VPN-less access of Cisco Unified Communications resources to Cisco Jabber® users. This discussion is dedicated to addressing questions about design best practices while implementing mobile remote access.
For more information, refer to the Unified Communications Mobile and Remote Access via Cisco VCS deployment guide.
Aashish Jolly is a network consulting engineer who is currently serving as the Cisco Unified Communications consultant for the ExxonMobil Global account. Earlier at Cisco, he was part of the Cisco Technical Assistance Center (TAC), where he helped Cisco partners with installation, configuring, and troubleshooting Cisco Unified Communications products such as Cisco Unified Communications Manager and Manager Express, Cisco Unity® solutions, Cisco Unified Border Element, voice gateways and gatekeepers, and more. He has been associated with Cisco Unified Communications for more than seven years. He holds a bachelor of technology degree as well as Cisco CCIE® Voice (#18500), CCNP® Voice, and CCNA® certifications and VMware VCP5 and Red Hat RHCE certifications.
Abhijit Singh Anand is a network consulting engineer with the Cisco Advanced Services field delivery team in New Delhi. His current role involves designing, implementing, and optimizing large-scale collaboration solutions for enterprise and defense customers. He has also been an engineer at the Cisco TAC. Having worked on multiple technologies including wireless and LAN switching, he has been associated with Cisco Unified Communications technologies since 2006. He holds a master’s degree in computer applications and multiple certifications, including CCIE Voice (#19590), RHCE, and CWSP and CWNP.
Remember to use the rating system to let Aashish and Abhijit know if you have received an adequate response.
Because of the volume expected during this event, our experts might not be able to answer every question. Remember that you can continue the conversation on the Cisco Support Community Collaboration, Voice and Video page, in the Jabber Clients subcommunity, shortly after the event. This event lasts through June 20, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
Hi Marcelo,
Yes, there are some requirements for certificates in Expressway.
Expressway Core (Exp-C)
- Can be signed by either External or Internal CA
- Better to use a cluster name even if you start with 1 peer in Exp-C cluster. In the future, if more peers are added, changes would be minimal.
- Better to use FQDN of cluster as CN of certificate, this way the traversal zone configuration on Expressway-E won't require any change even if new peers are added to Exp-C cluster.
- If CUCM is mixed mode, include security profile names (in FQDN format) as Subject Alternate Names
- The Chat Node Aliases that are configured on the IM and Presence servers. They will be required only for Unified Communications XMPP federation deployments that intend to use both TLS and group chat. (Note that Unified Communications XMPP federation will be supported in a future Expressway release). The Expressway-C automatically includes the chat node aliases in the CSR, providing it has discovered a set of IM&P servers.
- For TLS between CUCM, IM-P and Exp-C:
+ If using self-signed certificates on CUCM and IM/P, load the Cisco Tomcat, cup and cup-xmpp certificates from IM-P on Exp-C, and load the callmanager and Cisco Tomcat certificates from CUCM on Exp-C.
+ If using internal CA-signed certificates on CUCM and IM/P, load the root CA certificates on Exp-C.
+ Load the CA certificate under tomcat-trust, cup-trust and cup-xmpp-trust on IM-P.
+ Load the CA certificate under tomcat-trust and callmanager-trust on CUCM.
Expressway Edge (Exp-E)
- Signed by an external CA
- Configure the Unified Communications domain as a Subject Alternate Name
- If using a cluster, select the FQDN of this peer as CN and the FQDN of the cluster plus this peer as Subject Alternate Names.
- If XMPP federation is being deployed, enter the same Chat Node Aliases as entered in Exp-C.
For more details, please refer to the Certificate Creation Guide for Cisco Expressway X8.1.1:
http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf
- Aashish -
Welcome to the Cisco® Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about hierarchical network design.
Recommending a network topology that meets a customer's corporate network design needs, in both their business and technical goals, often involves many interrelated components. Hierarchical design makes this easier: it lets you "divide and conquer" the job and develop the design in layers.
Network design experts have developed the hierarchical network design model to help develop a topology in discrete layers. Each layer can be focused on specific functions, so you can select the right systems and features for that layer.
A typical hierarchical topology is:
A core layer of high-end routers and switches that are optimized for availability and performance.
A distribution layer of routers and switches that implement policies.
An access layer that connects users via lower-end switches and wireless access points.
Ahmad Manzoor is a Senior Pre-Sales Engineer at AGCN, Pakistan. He has more than 10 years of experience in first-rate management, commercial and technical skills in the field of data communication and services lifecycle—from solution design through sales pitch, designing RFPs, architecture, and solution—all with the goal toward winning projects (creating win/win situations) of obsolete solutions. Ahmad also has vast experience in designing end-to-end data centers, from building infrastructure design to data communication and network Infrastructure design. He has worked for several large companies in Pakistan and United Arab Emirates markets; for example, National Engineer, WATEEN Telecom, Emircom, Infotech, Global Solutions, NETS International, Al-Aberah, and AGCN, also known as Getronics, Pakistan.
Remember to use the rating system to let Ahmad know if he has given you an adequate response.
Because of the volume expected during this event, Ahmad might not be able to answer every question. Remember that you can continue the conversation in the Solutions and Architectures under the sub-community Data Center & Virtualization, shortly after the event. This event lasts through August 15, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
Dear Leo,
We are discussing the following without reference to any product line, just the concept of hierarchical design, which will help you decide which model is better for you: the two-layer or the three-layer hierarchical model.
Two-Layer Hierarchy
In many networks, you need only two layers to fulfill all of the layer functions—core and aggregation.
Only one zone exists within the core, and many zones are in the aggregation layer. Examine each of the layer functions to see where it occurs in a two-layer design:
Traffic forwarding—Ideally, all interzone traffic forwarding occurs in the core. Traffic flows from each zone within the aggregation layer up the hierarchy into the network core and then back down the hierarchy into other aggregation zones.
Aggregation—Aggregation occurs along the core/aggregation layer border, allowing only interzone traffic to pass between the aggregation and core layers. This also provides an edge for traffic engineering services to be deployed along.
Routing policy—Routing policy is deployed along the edge of the core and the aggregation layers, generally as routes are advertised from the aggregation layer into the core.
User attachment—User devices and servers are attached to zones within the aggregation layer. This separation of end devices into the aggregation permits the separation of traffic between traffic through a link and traffic to a link, or device. Typically, it is best not to mix transit and destination traffic in the same area of the network.
Controlling traffic admittance—Traffic admittance control always occurs where user and server devices are attached to the network, which is in the aggregation layer. You can also place traffic admittance controls at the aggregation points exiting from the aggregation layer into the core of the network, but this is not common.
You can see, then, how dividing the network into layers enables you to make each layer specialized and to hide information between the layers. For instance, the traffic admittance policy implemented along the edge of the aggregation layer is entirely hidden from the network core.
You also use the core/aggregation layer edge to hide information about the topology of routing zones from each other, through summarization. Each zone within the aggregation layer should have minimal routing information, possibly just how to make it to the network core through a default route, and no information about the topology of the network core. At the same time, the zones within the aggregation layer should summarize their reachability information into as few routing advertisements as possible at their edge with the core and hide their topology information from the network core.
Three-Layer Hierarchy
A three-layer hierarchy divides these same responsibilities through zones in three vertical network layers.
Traffic Forwarding—As with a two-layer hierarchy, all interzone traffic within a three-layer hierarchy should flow up the hierarchy, through the layers, and back down the hierarchy.
Aggregation—A three-layer hierarchy has two aggregation points:
At the edge of the access layer going into the distribution layer
At the edge of the distribution layer going into the core
At the edge of the access layer, you aggregate traffic in two places: within each access zone and flowing into the distribution layer. In the same way, you aggregate interzone traffic at the distribution layer and traffic leaving the distribution layer toward the network core. The distribution layer and core are ideal places to deploy traffic engineering within a network.
Routing policy—The routing policy is deployed within the distribution layer in a three-layer design and along the distribution/core edge. You can also deploy routing policies along the access/distribution edge, particularly route and topology summarization, to hide information from other zones that are attached to the same distribution layer zone.
User attachment—User devices and servers are attached to zones within the access layer. This separation of end devices into the access layer permits the separation of traffic between traffic through a link and traffic to a link, or device. Typically, you do not want to mix transit and destination traffic in the same area of the network.
Controlling traffic admittance—Traffic admittance control always occurs where user and server devices are attached to the network, which is in the access layer. You can also place traffic admittance controls at the aggregation points along the aggregation/core edge.
As you can see, the concepts that are applied to two- and three-layer designs are similar, but you have more application points in a three-layer design.
Now the confusion arises in our minds: where do we use the two-layer and where the three-layer hierarchical model?
So we now discuss how many layers to use in a network design.
Which network design is better: two layers or three layers? As with almost all things in network design, it all depends. Examine some of the following factors involved in deciding whether to build a two- or three-layer network:
Network geography—Networks that cover a smaller geographic space, such as a single campus or a small number of interconnected campuses, tend to work well as two-layer designs. Networks spanning large geographic areas, such as a country, continent, or even the entire globe, often work better as three-layer designs.
Network topology depth—Networks with a compressed, or flattened, topology tend to work better as two-layer hierarchies. For instance, service provider networks cover large geographic areas, but reducing the number of hops through the network is critical in providing the services they sell; therefore, they are often built on a two-layer design. Networks with substantial depth in their topologies, however, tend to work better as three-layer designs.
Network topology design—Highly meshed networks, with many requirements for interzone traffic flows, tend to work better as two-layer designs. Simplifying the hierarchy to two levels tends to focus the design elements into meshier zones. Networks that focus traffic flows on well-placed distributed resources, or centralized resources, such as a network with a large number of remote sites connecting to a number of centralized Data Centers, tend to work better as three-layer designs.
Policy implementation—If policies of a network tend to focus on traffic engineering, two-layer designs tend to work better. Networks that attempt to limit access to resources attached to the network and other types of policies tend to work better as three-layer designs.
Again, however, these are simple rules of thumb. No definitive way exists to decide whether a network should have two or three layers. Likewise, you cannot point to a single factor and say, “Because of this, the network we are working on should have three layers instead of two.”
I hope that this helps you to understand the purposes of Two Layer & Three layer Hierarchical Model.
Best regards,
Ahmad Manzoor -
Ask the Experts Live Chat - Home Hub 4
Hello,
Stephanie and I are pleased to announce our next live discussion with some of our BT experts! It's about one of our latest new products, the Hub 4. This will be a great chance to get our Hub 4 experts onto the community to tell you a bit more about that and answer any questions you may have.
We have added the Chat transcript below for any of you guys who missed this event.
7:02
JacquiBT:
Hello everyone.
Thank you for joining our ‘Ask the Experts’ Live chat. I would like to introduce Dave, Sam and Emma who are our Hub 4 experts and will be answering your questions tonight. I would like to invite you to ask your questions now.
7:03
[Comment From imjolly imjolly : ]
why are there no adsl stats available on the HH4
7:04
[Comment From DS DS : ]
evening all. Are the antennae omni directional?
7:05
Sean Donnelly:
Thanks for the question, Emma will respond to that question Imjolly
7:05
JacquiBT:
Thanks DS, Dave will respond to your question now
7:05
Dave:
Hi DS, yes they are
7:05
[Comment From Steve Steve : ]
Are there any plans for new firmware on the hub 4 to bring new features?
7:06
JacquiBT:
Thanks Steve, Dave is answering that question for you
7:07
Dave:
Hi Steve - yes there are. There will be more information available about this - and any new features - before each firmware drop.
7:07
[Comment From Steve Steve : ]
why can you not opt out of BT WIFI on the home hub 4?
7:07
Dave:
Hi Steve - you should have no problem doing this through the Hub Manager
7:09
JacquiBT:
Some great questions coming through, the experts are typing up responses now
7:09
[Comment From DS DS : ]
Personal testing - Why is the 2.4GHz range less than the HH3 when at a distance from the hub, but better close up than the HH3?
7:10
JacquiBT:
Thanks DS, Dave is answering this now for you
7:10
[Comment From George George : ]
Will the 'Home Network' page show a HH4 instead of the Current image of the HH3?
7:11
JacquiBT:
Thanks George, Sam will answer that for you
7:11
Sam:
Hi George, the HH4 image will be displayed in place of the HH3 in the next firmware release
7:12
Dave:
Thanks again DS - you shouldn't find that, but this can depend on a lot of different factors in the home. I've found mine to be a bit better actually! But it should be pretty much the same for most customers.
7:12
Sean Donnelly:
Did you know the Hub 4 has Smart Setup?
Easy set up in just a few minutes. No CD or computer needed, it's all online and works on any device. Set up your Hub 4 router and access all your free extras like BT Cloud and BT Family Protection in just a few clicks.
7:12
[Comment From DS DS : ]
Is it possible for BT to allow us to move the BTWifi SSIDs to another channel, leaving our own SSID on a less congested channel?
7:12
Dave:
Hi imjolly, sorry for the delay, Emma asked me to reply on her behalf. We have made the stats in the Hub manager simpler for customers to understand, we were reacting to feedback that it was too general for the wide range of customers and tech understandings.
7:12
JacquiBT:
Hi DS, Sam is replying to you now
7:14
[Comment From JamesS JamesS : ]
What speeds can I achieve over wifi, assuming I'm connected to 5GHz? Thanks.
7:14
Sean Donnelly:
Did you know the hub offers Easy Wireless?
Connect wirelessly by selecting your BT Home Hub connection on any compatible device and just push a button on the Hub and you're connected. It's that simple. No passwords needed.
7:14
JacquiBT:
Hi JamesS. Dave will reply to your question
7:14
Emma:
Hi imjolly, we have made the stats in the Hub manager simpler for customers to understand, we were reacting to feedback that it was too general for the wide range of customers and tech understandings.
7:15
Sam:
Hi DS, moving BT Wifi SSIDs to another channel is not possible on the HH4. However, we are looking closely at the wi-fi SSIDs the hub broadcasts to see whether we can improve this experience.
7:15
Dave:
Hi James, 5GHz has a maximum data transfer rate of 300Mb/s; this will tend to translate into optimal actual speeds of up to 100 Mb/s - depending on lots of factors in your home
7:15
[Comment From George George : ]
Why did you remove the built in plastic wireless info tab with a card?
7:15
JacquiBT:
Hi George, Dave is going to reply to that question
7:16
Dave:
Hi George - this was part of the design process, we've tried to make it even easier for customers to find their wireless information. Now it's not integrated it's a little bit more accessible.
7:16
[Comment From thebennyboy thebennyboy : ]
I currently have the HH3 and would like to know what noticeable difference it will make having a HH4 over a HH3? We use the ethernet ports and the wireless.
7:17
JacquiBT:
Hi Bennyboy. Emma is going to reply to that question.
7:17
[Comment From Paul Paul : ]
How much faster is the processor in the home hub 4, compared to previous versions? How will this affect my online experience?
7:18
JacquiBT:
Hi Paul. Sam will answer that for you
7:18
Sam:
Hi Paul, the processor is a staggering 3x faster compared to the HH3
7:19
[Comment From Guest Guest : ]
Although opted out of BT wifi the hub still shows as being active
7:19
JacquiBT:
Hi Guest, could we ask that you post this on the community so the moderators can pick this up
7:19
Sean Donnelly:
Did you know that the hub 4 offers Dual band frequency which makes for a more reliable wireless connection?
Smart dual-band technology reduces wireless interference and drop-outs, giving you a reliable connection for all your devices.
7:20
[Comment From Guest Guest : ]
When you opt out of BT WIFI it appears to only opt out on the 2.4GHz channel and not the 5GHz channel. Are you looking into this?
7:20
JacquiBT:
Hi Guest. Dave will reply to your question
7:21
Dave:
Hi - thanks for this feedback, we'll definitely look in to it for you
7:21
Sean Donnelly:
Excellent questions coming through folks
7:21
Sean Donnelly:
Our experts are typing answers so please keep them coming
7:22
[Comment From Josh Josh : ]
Is it a known issue that the HomeHub 4 has problems identifying the Xbox 360 as a media center extender when connected through a wired connection?
7:23
JacquiBT:
Hi Josh. Sam is replying to your question
7:23
[Comment From Winston Winston : ]
How much power does the home hub 4 use?
7:24
JacquiBT:
Hi Winston. Dave will respond to your question
7:24
Sam:
Hi Josh, we are aware of this issue. This is a problem with the Xbox rather than the HH4 but something we are reviewing together.
7:24
Emma:
Hi thebennyboy, the main advantages of the Hub 4 are the faster processor (3x faster) and 5 GHz wifi. There is no interference with 5GHz so you get better performance, and as the range isn't as wide you don't have to share the bandwidth with neighbours etc. The hub still has 2.4 GHz so you still have the range you have with Hub 3 too!
7:24
Dave:
Hi Winston, I am afraid there's no simple answer as it really depends on what features are in use. But the Hub 4 meets the latest Broadband Equipment Energy Code of Conduct targets for energy consumption.
7:25
[Comment From Mel Mel : ]
Why did you ignore your existing customers loyalty by charging them for a new hub, don't they pay enough already in their monthly fees?
7:25
JacquiBT:
Hi Mel, Dave will reply to your question
7:25
[Comment From Winston Winston : ]
How long did it take you to design and develop the home hub 4?
7:26
JacquiBT:
Hi Winston, Emma will reply to your question
7:27
[Comment From George George : ]
Will we get manual power save back?
7:27
JacquiBT:
Hi George. Sam will answer your question
7:28
[Comment From Jade Jade : ]
Does the home hub 4 support ip6 through a future upgrade?
7:28
Emma:
Hi Winston, It was about 2 years when we first started the project with the first ideas and concepts
7:29
JacquiBT:
Hi Jade. Emma will reply to your question.
7:29
Emma:
Hi Jade, that's something we are working on so yes, something for the future
7:30
Sam:
Hi George. With regards to the manual power save feature, we have looked to make this automatic for all of our customers. However, you are able to change the brightness of the lights as an additional step.
7:30
Dave:
Hi Mel - we've made a lot of changes for our existing customers since the launch of the Hub 3 a couple of years ago. Our customer offer for the Hub 4 is only £35 - a really big discount compared to the full price of £109! We've also created a range of recontracting deals that contain a Hub 4 for only the cost of delivery. If you're out of contract or in the last 3 months, you could take advantage of those offers as well. We really want all of our customers to be able to take advantage of these options!
7:31
Sean Donnelly:
Did you know the Hub 4 has a faster processor? Inside the BT Home Hub 4 router is our latest Broadband processor – the brains of your Hub. It allows you to pass information between connected devices quicker than ever. So if you are transferring files from one computer to another or watching a film streamed from another device, the BT Home Hub 4 won't slow you down.
7:31
[Comment From thebennyboy thebennyboy : ]
Our house has very thick stone walls and the wireless is weak in certain rooms. We have a few devices in our house that support 5GHz Wi-Fi. Does the HH4 also work OK with home plugs that use your power cables to provide network connectivity?
7:32
JacquiBT:
Hi thebennyboy. Sam will respond to your question
7:32
[Comment From Calvin Calvin : ]
What future developments are in the works for home hub 4?
7:33
DS wrote:
Not many of my Q's are showing either. Could be busy I guess......
Yeah, I can tell. I know your questions are pretty good, but if you notice, JacquiBT is deliberately choosing the questions she wants to go through. The whole chat is based around the fact that they have added 5GHz. I am appalled as I was hoping to at least ask one question. -
ASK THE EXPERTS - WI-FI NETWORKS
Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on different aspects of wireless network design and installation with Fred Niehaus. Fred is a Technical Marketing Engineer for the Wireless Networking Business Unit at Cisco, where he is responsible for developing and marketing enterprise wireless solutions using Cisco Aironet and Airespace wireless LAN products. In addition to his participation in major deployments, Niehaus has served as technical editor for several Cisco Press books including the "Cisco 802.11 Wireless Networking Reference Guide" and "The Business Case for Enterprise-Class Wireless LANs." Prior to joining Cisco with the acquisition of Aironet, Niehaus was a support engineer for Telxon Corporation, supporting some of the very first wireless implementations for major corporate customers. Fred has been in the data communications and networking industry for more than 20 years and holds a Radio Amateur (Ham) License "N8CPI."
Remember to use the rating system to let Fred know if you have received an adequate response.
Fred might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 16, 2010. Visit this forum often to view responses to your questions and the questions of other community members.
Hi Expert,
Before all, thank you for your great advice and help. I've decided to implement a few of them. However, during preliminary tests, I ran into some issues. Hopefully, you will be able to help one last time.
During my test, I implemented a few SSIDs which worked fine in my lab with WEP encryption. And I decided to change the encryption; some of the SSIDs did work with WPA2. However, two still need my attention: the guest SSID, which uses WPA with TKIP, and one of the test SSIDs. The guest SSID worked fine until I decided to reload the AP. When the AP came back it could not grab an IP, but show commands show that it is associated with the AP. See below. I am 100% certain that the config is correct as it was working fine before the reload.
a) Show commands
#sh dot11 associations
802.11 Client Stations on Dot11Radio0:
SSID [SAVY_GUESS] :
MAC Address IP address Device Name Parent State
000e.9b6e.XXXX 169.254.97.66 ccx-client - self Assoc
Address : 000e.9b6e.XXX Name : NONE
IP Address : 169.254.97.66 Interface : Dot11Radio 0
Device : ccx-client Software Version : NONE
CCX Version : 2
State : Assoc Parent : self
SSID : SAVY_GUESS
VLAN : 9
Hops to Infra : 1 Association Id : 13
Clients Associated: 0 Repeaters associated: 0
Tunnel Address : 0.0.0.0
Key Mgmt type : WPA PSK Encryption : TKIP
Current Rate : 54.0 Capability : ShortHdr ShortSlot
Supported Rates : 1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates : disabled
Signal Strength : -31 dBm Connected for : 11592 seconds
Signal to Noise : 61 dBm Activity Timeout : 57 seconds
Power-save : Off Last Activity : 3 seconds ago
Apsd DE AC(s) : NONE
Packets Input : 8830 Packets Output : 9
Bytes Input : 435094 Bytes Output : 1154
Duplicates Rcvd : 15 Data Retries : 0
Decrypt Failed : 0 RTS Retries : 0
MIC Failed : 0 MIC Missing : 0
Packets Redirected: 0 Redirect Filtered: 0
Session timeout : 0 seconds
Reauthenticate in : never
b) SSID config
dot11 ssid SAVY_GUESS
vlan 9
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 1240321A241F5B367B29281F6200133524422D325C
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 9 mode ciphers tkip
encryption vlan 16 mode ciphers aes-ccm
ssid SAVY_GUESS
ssid Wireless-Test
interface Dot11Radio0.9
encapsulation dot1Q 164
no ip route-cache
bridge-group 9
bridge-group 9 subscriber-loop-control
bridge-group 164 block-unknown-source
no bridge-group 9 source-learning
no bridge-group 9 unicast-flooding
bridge-group 9 spanning-disabled
interface FastEthernet0.9
encapsulation dot1Q 9
ip helper-address 10.XXX.ZZZ.254
no ip route-cache
bridge-group 255
no bridge-group 255 source-learning
bridge-group 255 spanning-disabled
PS: A wired device connected on the VLAN did grab an IP.
2. Wireless_Test
This SSID was working fine until I changed the VLAN associated with it.
SSID [Wireless-Test] :
MAC Address IP address Device Name Parent State
001f.3b51.XXXX 169.254.90.253 ccx-client 00C00070 self EAP-Assoc
Address : 001f.3b51.XXXX Name : I00000070
IP Address : 169.254.90.253 Interface : Dot11Radio 0
Device : ccx-client Software Version : NONE
CCX Version : 4
State : EAP-Assoc Parent : self
SSID : Wireless-Test
VLAN : 16
Hops to Infra : 1 Association Id : 12
Clients Associated: 0 Repeaters associated: 0
Tunnel Address : 0.0.0.0
Key Mgmt type : WPAv2 Encryption : AES-CCMP
Current Rate : 54.0 Capability : WMM ShortHdr ShortSlot
Supported Rates : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates : disabled
Signal Strength : -43 dBm Connected for : 14298 seconds
Signal to Noise : 52 dBm Activity Timeout : 14 seconds
Power-save : On Last Activity : 6 seconds ago
Apsd DE AC(s) : NONE
Packets Input : 15322 Packets Output : 256
Bytes Input : 913707 Bytes Output : 19866
Duplicates Rcvd : 249 Data Retries : 14
Decrypt Failed : 0 RTS Retries : 0
MIC Failed : 0 MIC Missing : 0
Packets Redirected: 0 Redirect Filtered: 0
Session timeout : 0 seconds
Reauthenticate in : never
b) config
dot11 ssid Wireless-Test
vlan 16
authentication open eap eap_methods2
authentication network-eap eap_methods2
authentication key-management wpa
accounting acct_methods3
mbssid guest-mode
interface Dot11Radio0.16
encapsulation dot1Q 16
no ip route-cache
bridge-group 16
bridge-group 16 subscriber-loop-control
bridge-group 16 block-unknown-source
no bridge-group 16 source-learning
no bridge-group 16 unicast-flooding
bridge-group 16 spanning-disabled
interface FastEthernet0.16
encapsulation dot1Q 16
ip helper-address 10.zzz.xxx.254
no ip route-cache
bridge-group 16
no bridge-group 16 source-learning
bridge-group 16 spanning-disabled
Can the radio interface get messed up by the reload? How can I verify the radio? Debug did not show the client asking for an IP...
3. My last question: my ACLs to limit guest access. Should I implement them in my firewall or in my distribution router? The distribution router has a sub-interface for each SSID. Would it be better to block traffic right at the distribution router rather than let unnecessary traffic flow into the network?
Thanks a lot for great advice and guidance,
---Jean Paul. -
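An added example (not part of Jean Paul's post and not a Cisco tool) that checks the two consistency rules autonomous-AP VLAN bridging relies on: for each VLAN, the Dot11Radio and FastEthernet subinterfaces must carry the same dot1Q tag and the same bridge-group, and every `dot11 ssid ... vlan N` needs a radio subinterface tagged N. The configuration embedded below is constructed to mirror the shape of the VLAN 9 and VLAN 16 stanzas posted above (helper address replaced by a documentation-range placeholder); the function names and finding messages are my own. On that constructed copy it reports the VLAN 9 radio/Ethernet disagreements, which is the cheapest thing to verify after a reload before suspecting the radio itself.

```python
"""Consistency lint for autonomous-AP VLAN bridging (Dot11Radio0.N vs FastEthernet0.N).

Added example, not code from the thread. Assumed rules: per VLAN, radio and
Ethernet subinterfaces share one dot1Q tag and one bridge-group, and each
SSID's VLAN has a radio subinterface with that dot1Q tag.
"""
import re
from collections import defaultdict

# Constructed sample mirroring the posted VLAN 9 / VLAN 16 stanzas.
SAMPLE_CONFIG = """\
dot11 ssid SAVY_GUESS
 vlan 9
 authentication open
 authentication key-management wpa
dot11 ssid Wireless-Test
 vlan 16
 authentication key-management wpa
interface Dot11Radio0
 encryption vlan 9 mode ciphers tkip
 ssid SAVY_GUESS
interface Dot11Radio0.9
 encapsulation dot1Q 164
 bridge-group 9
 bridge-group 9 subscriber-loop-control
 bridge-group 164 block-unknown-source
 no bridge-group 9 source-learning
interface FastEthernet0.9
 encapsulation dot1Q 9
 ip helper-address 192.0.2.254
 bridge-group 255
 no bridge-group 255 source-learning
interface Dot11Radio0.16
 encapsulation dot1Q 16
 bridge-group 16
 bridge-group 16 subscriber-loop-control
interface FastEthernet0.16
 encapsulation dot1Q 16
 bridge-group 16
"""

IFACE_RE = re.compile(r"^interface (Dot11Radio\d+|FastEthernet\d+)\.(\d+)$")
ENCAP_RE = re.compile(r"^encapsulation dot1Q (\d+)")
BG_RE = re.compile(r"^bridge-group (\d+)(?:\s|$)")   # "no bridge-group" lines do not match
SSID_RE = re.compile(r"^dot11 ssid (\S+)$")
VLAN_RE = re.compile(r"^vlan (\d+)$")


def parse_config(text):
    """Return ({ssid: vlan}, {subif_suffix: {'radio'|'ethernet': {encap, bridge_groups}}})."""
    ssid_vlans = {}
    subifs = defaultdict(dict)
    current = None  # ("ssid", name) or ("subif", suffix, kind) or None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SSID_RE.match(line)
        if m:
            current = ("ssid", m.group(1))
            continue
        m = IFACE_RE.match(line)
        if m:
            kind = "radio" if m.group(1).startswith("Dot11Radio") else "ethernet"
            suffix = int(m.group(2))
            subifs[suffix][kind] = {"encap": None, "bridge_groups": set()}
            current = ("subif", suffix, kind)
            continue
        if line.startswith("interface "):
            current = None  # physical interface stanza: not part of the check
            continue
        if current is None:
            continue
        if current[0] == "ssid":
            m = VLAN_RE.match(line)
            if m:
                ssid_vlans[current[1]] = int(m.group(1))
        else:
            entry = subifs[current[1]][current[2]]
            m = ENCAP_RE.match(line)
            if m:
                entry["encap"] = int(m.group(1))
            m = BG_RE.match(line)
            if m:
                entry["bridge_groups"].add(int(m.group(1)))
    return ssid_vlans, dict(subifs)


def check_bridging(text):
    """Return a list of findings; an empty list means the bridging is consistent."""
    ssid_vlans, subifs = parse_config(text)
    findings = []
    for suffix, sides in sorted(subifs.items()):
        radio, eth = sides.get("radio"), sides.get("ethernet")
        if radio is None or eth is None:
            findings.append(f"VLAN {suffix}: missing radio or Ethernet subinterface")
            continue
        if radio["encap"] != eth["encap"]:
            findings.append(f"VLAN {suffix}: dot1Q tag mismatch radio={radio['encap']} ethernet={eth['encap']}")
        if len(radio["bridge_groups"]) != 1:
            findings.append(f"VLAN {suffix}: radio subinterface uses several bridge-groups {sorted(radio['bridge_groups'])}")
        if radio["bridge_groups"] != eth["bridge_groups"]:
            findings.append(f"VLAN {suffix}: bridge-group mismatch radio={sorted(radio['bridge_groups'])} ethernet={sorted(eth['bridge_groups'])}")
    radio_tags = {s["radio"]["encap"] for s in subifs.values() if "radio" in s}
    for ssid, vlan in sorted(ssid_vlans.items()):
        if vlan not in radio_tags:
            findings.append(f"SSID {ssid}: vlan {vlan} has no radio subinterface tagged dot1Q {vlan}")
    return findings


if __name__ == "__main__":
    for finding in check_bridging(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Feed it the output of `show running-config` from the AP; anything it prints for the guest VLAN is worth fixing before looking at the radio, because the client in the posted output is associated and sending frames (Packets Input is non-zero) but its DHCP traffic has nowhere to go if the radio and Ethernet sides of the VLAN are not in the same bridge group.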
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.
October 27, 2014 through November 7, 2014.
The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.
Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale focused on the requirements of the largest ISE deployments.
Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer. He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio. Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.
Remember to use the rating system to let Craig know if you have received an adequate response.
Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.
1. Without more specifics it is hard to determine the actual issue. It may be possible that, if configured in the same subnet, asymmetric traffic caused connections to fail. A key enhancement in ISE 1.3 is to make sure traffic received on a given interface is sent out the same interface.
2. Common use cases for using different interfaces include separation of management traffic from user traffic such as web portal access or to support dedicated profiling interfaces. For example, you may want employees to use a different interface for sponsor portal access. For profiling, you may want to use a specific interface for HTTP SPAN traffic or possibly configure IP Anycast to simplify reception and redundancy of DHCP IP Helper traffic. Another use case is simple NIC redundancy.
a. Management traffic is restricted to eth0, but a standalone node will also have the PSN persona, so the above use cases can apply for interfaces eth1-eth3.
b. For dedicated PAN / MnT nodes it usually does not make sense to configure multiple interfaces although ISE 1.3 does add support for SNMP on multiple interfaces if needed to separate out. It may also be possible to support NIC redundancy but I need to do some more testing to verify.
For PSNs, NIC redundancy for RADIUS as well as the other use cases for separate profiling and portal services apply.
Regarding Supplicant Provisioning issue, the flows are the same whether wireless or wired. The same identity stores are supported as well. The key difference is that wireless users are directed to a specific auth method based on WLAN configuration and Cisco wired switches allow multiple auth methods to be supported on same port.
If RADIUS Proxy is required to forward requests to a foreign RADIUS server, then the decision must be made based on basic RADIUS attributes or things like NDG. ISE does not terminate the authentication requests; that is handled by the foreign server. ISE does support advanced relay functions such as attribute manipulation, but I recommend reviewing requirements with your local Cisco or partner security SE if trying to implement provisioning for users authenticated via proxy. Proxy is handled at the Authentication Policy level. CWA and Guest Flow are handled in the Authorization Policy. If you need to authenticate a CWA user via external RADIUS, then you need to use a RADIUS Token Server, not RADIUS Proxy.
A typical flow for a wired user without 802.1X configured would be to hit the default policy for CWA. Based on successful CWA auth, CoA is triggered and the user can then match a policy rule based on guest flow and CWA user identity (AD or non-AD) and be returned an authorization for NSP.
Regarding AD multi-domain support...
Under ISE 1.2, if you need to authenticate users across different forests or domains, then mutual trusts must exist, or you can use multiple LDAP server definitions if the EAP protocol supports LDAP. RADIUS Proxy is another option to have some users authenticated to different AD domains via a foreign RADIUS server.
Under ISE 1.3, we have completely re-architected our AD connector and support multiple AD Forests and Domains with or without mutual trusts.
When you mention the use of RADIUS proxy, it is not clear whether you are referring to ISE as the proxy or another RADIUS server proxying to ISE. If you had multiple ISE deployments, then a separate RADIUS Server like ACS could proxy requests to different ISE 1.2 deployments, each with their own separate AD domain connection. If ISE is the proxy, then you could have some requests being authenticated against locally joined AD domain while others are sent to a foreign RADIUS server which may have one or more AD domain connections.
In summary, if the key requirement is the ability to join multiple AD domains without mutual trust, then very likely ISE 1.3 is the solution. Your configuration seems to be a bit involved and I do not want to provide design guidance on a paper napkin, so I recommend consulting with your local ATP Security SE to review overall requirements, topology, AD structure, and RADIUS servers that require integration.
Regards,
Craig -
Ask the Expert: Identity Services Engine - 802.1x, Identity Management and BYOD
Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Identity Service Engine (ISE) with subject matter expert Nicolas Darchis.
Cisco Identity Service Engine is a security policy management and control platform that automates and simplifies access control and security compliance for wired, wireless, and VPN connectivity. It is primarily used to provide secure access and guest access, support BYOD initiatives, and enforce usage policies in conjunction with Cisco TrustSec.
Nicolas Darchis is a wireless and authentication, authorization, and accounting expert for the Technical Assistance Center at Cisco Europe. He has been troubleshooting wireless networks, wireless management tools, and security products, including Cisco Secure Access Control Server, since 2007. He also focuses on filing technical and documentation bugs. Darchis holds a bachelor's degree in computer networking from the Haute Ecole Rennequin Sualem and a master's degree in computer science from the University of Liege. He also holds CCIE Wireless certification (no. 25344).
Remember to use the rating system to let Nicolas know if you have received an adequate response.
Because of the volume expected during this event, our expert might not be able to answer every question. Remember that you can continue the conversation in the Security community under subcommunity AAA, Identity, and NAC shortly after the event. This event lasts through June 20, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
Hi.
1) It is not "ISE loses the credentials and asks for web portal again". Once a user is authenticated, it is authenticated as long as it stays connected. Possibilities are :
-You are returning a session timeout (RADIUS attribute 27) in the authz profile of the user. Therefore the user has to reauthenticate after X seconds. But you would see a pattern, then.
-Over wireless, many clients are not capable of doing fast roaming (smartphones are the biggest example) and will therefore reauthenticate with dot1x every time they roam. A small coverage hole would be enough for the cached credentials to disappear and the web portal to show up again.
-Over wired, this cannot really occur but the idea is that it's probably the switch resetting the connection and contacting ISE again. The idea to troubleshoot this is to monitor the access device (WLC/switch) and check if the port goes up/down, if the MAB session gets reset or something and why.
2) The captive bypass issue is that Apple devices will probe apple.com website to check if there is internet connectivity. If they can reach it, then fine, if they sense that they are redirected, they open a small window pop up with the login portal. The problem (and I still cannot understand why) is that this is not Safari, it's some nameless feature-less browser that doesn't work properly.
By enabling the captive bypass feature, the WLC intercepts the requests to the Apple testpage and replies with HTTP OK. The apple device then thinks "ok I have internet connectivity" and it's up to the user to bring up a real browser to login to the portal page.
It therefore does not affect non-Apple devices to have the feature enabled.
The problem is that in iOS 7.x, Apple decided to not just use Apple.com anymore but a whole list of test pages on different websites.
3) "whether it would solve the issue if I added certificate authentication as a secondary option, with eap-tls as the primary"
=> This is disturbing because EAP-TLS is a certificate authentication method. But the ISE message seems to imply that the user is hitting an authentication rule that only provides PEAP or EAP-FAST with MSCHAP or something similar ...
If you have the windows default supplicant you have close to no control on what the client will submit. I can imagine that moving from wired to wireless, the laptop would sometimes try to send password instead of certificate and/or vice-versa. Anyconnect with fixed network profiles would solve the problem elegantly.
I cannot comment on your auth policies as I do not know them :-)
Regards,
Nicolas -
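The captive-bypass behaviour described in point 2, as an added example that is not part of Nicolas's answer and not Cisco WLC code: a small HTTP gateway that answers the Apple connectivity probe with a plain HTTP 200 "Success" page when bypass is on, and otherwise redirects unauthenticated clients to the portal. The probe host/path pairs and the portal URL are assumptions for illustration; as the answer notes for iOS 7, the real probe list is longer and changes between OS versions, so the set is meant to be extended.

```python
"""Captive-portal probe handling modelled on the WLC 'captive bypass' feature.

Added example, not Cisco code. PORTAL_URL and the APPLE_PROBES entries are
assumed values used for illustration.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import quote

PORTAL_URL = "https://portal.example.net/login"  # assumed portal location

# Assumed Apple connectivity-probe endpoints; extend as new OS releases add more.
APPLE_PROBES = {
    ("captive.apple.com", "/hotspot-detect.html"),
    ("www.apple.com", "/library/test/success.html"),
}
APPLE_SUCCESS_BODY = "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"


def decide(host, path, authenticated, captive_bypass):
    """Decide what the gateway does with one HTTP request.

    Returns None when the request is not intercepted (client already logged in),
    otherwise (status, headers, body) for the interception response.
    """
    host = host.split(":")[0].lower()  # drop a :port suffix from the Host header
    if authenticated:
        return None
    if captive_bypass and (host, path) in APPLE_PROBES:
        # Bypass on: the probe "succeeds", so the device does not open its
        # limited mini-browser; the user must open a real browser for the portal.
        return 200, {"Content-Type": "text/html"}, APPLE_SUCCESS_BODY
    # Bypass off, or any other site: classic redirect to the portal, carrying the
    # originally requested URL so the portal can send the user back afterwards.
    original = quote("http://" + host + path, safe="")
    return 302, {"Location": f"{PORTAL_URL}?redirect={original}"}, ""


class GatewayHandler(BaseHTTPRequestHandler):
    """Minimal interception handler wrapping decide(); one instance per request."""
    captive_bypass = True
    authenticated_clients = set()  # client IPs that completed the portal login

    def do_GET(self):
        verdict = decide(self.headers.get("Host", ""), self.path,
                         self.client_address[0] in self.authenticated_clients,
                         self.captive_bypass)
        if verdict is None:
            # A real gateway would forward the flow; here we only acknowledge it.
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"forwarded\n")
            return
        status, headers, body = verdict
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body.encode())


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), GatewayHandler).serve_forever()
```

The point of the split between `decide()` and the handler is that the policy is testable without a socket: the same function shows why the feature is harmless for non-Apple clients (every other host still gets the 302) and why toggling it only changes what the probe endpoints see.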
Ask the Expert: NGWC (3850/5760): Architecture and Deployment
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about NGWC (3850/5760): Architecture and Deployment.
Ask questions from Monday, April 13th, 2015 to Friday, April 24th, 2015
This Ask the Expert session will cover questions spanning NGWC products (3850/5760) on implementation and deployment from the wired and wireless perspective. It will be more specific to customers' and partners' questions covering 3850/5760 configuration, implementation and deployment.
Dhiresh Yadav is a customer support engineer in High-Touch Technical Services (HTTS) handling and supporting Wireless and Network Management based Cisco products and is based in Bangalore. His areas of expertise include the Cisco Wireless CUWN and NGWC product lines. He has over 7 years of industry experience working with large enterprise and service provider networks. He also holds CCNP (RS), CCIE (DC-Written) and CCIE Wireless certifications.
Naveen Venkateshaiah is working as a customer support engineer in High-Touch Technical Services (HTTS) handling and supporting LAN switching and Data Center products. His areas of expertise include the Catalyst 3k, 4k, 6500 and Nexus 7k platforms. He has over 7 years of industry experience working with large enterprise and service provider networks. He also holds CCNA, CCNP (RS), CCDP-ARCH, CCIE-R&S Written, AWLANFE and LCSAWLAN certifications.
Find other Ask the Expert events at https://supportforums.cisco.com/expert-corner/events.
Ratings Encourage Participation!
Please be sure to rate the Answers to Questions
Hi Dhiyadav,
Thank you for your reply, it cleared some doubts that were in my mind, but I need more of your support to guide me on a converged access deployment which I am going to deploy within a few days.
i have
2x5508 in HA as MC
30x3850 switches, and all will be used as MA(s) with multiple SPGs
2X5508 1:1 as an anchor controller
1xISE 1.3 for guest access
1xCPI for wireless mgmt and monitoring purpose
1xMSE3355 with wips and context aware licenses
200x cisco 3702i WAP
50x WSSI module for monitoring the channels
Can you please shed some light on the design and guide me on which are the best possible solutions to get this job done very smoothly?
I will also let you know about my proposed design scenario, but for sure I need your recommendations as well :)
So,
I will use 2x5508 WLCs in HA as the MC, which are AP-Count and HA licensed.
3850 switches will be MAs and I will configure SPGs per floor switch stack.
WAPs will join these 3850 MAs based on each floor.
I would have 2 SSIDs, like employee and guest.
I will configure them on each 3850 stack MA along with their SVIs for user access (employee and guest SSID).
Here my question is for the guest SSID and its VLAN... do I configure it here or on the anchor controller???
I want ISE to be integrated with wireless for employee 802.1x and for guest web auth. So, how will I integrate ISE with wireless? I mean, whether I will integrate it with the anchor controller or with each 3850 MA???
Between foreign and anchor controller I will use new mobility instead of old EoIP!!!
Where shall I place ISE in my network, in the DMZ or with the core switch?
My target is for guest users to not have access to any corporate network sources.
MSE:
Can I use both wIPS and context aware on a single MSE box?
If yes, then what is the best practice for configuring them?
Will each 3850 MA be added in MSE?
WSSI modules will be used for monitoring purposes for wIPS and context aware profiles.
All access points will work in local mode for serving user access.
thank you -
Ask the Expert: Cisco BYOD Wireless Solution: ISE and WLC Integration
With Jacob Ideji, Richard Hamby and Raphael Ohaemenyi
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the new Identity Solutions Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about Cisco's Bring-your-own-device (BYOD) solution with Cisco experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. The interest in BYOD (Bring Your Own Device) solutions in the enterprise has grown exponentially as guests and company users increasingly desire to use personal devices to access . Cisco BYOD enhances user experience and productivity while providing security, ease of administration, and performance. The heart of the Cisco wireless BYOD solution is Identity Solutions Engine (ISE) utilizing the Cisco Unified Wireless portfolio. Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v7.2.110.0 and higher, end-to-end wireless BYOD integration is a reality.
Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.
Richard Hamby works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams.
Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certifications.
Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.
Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
OOPS !!
I will repost the whole message with the correct external URLs:
In general, the TrustSec design and deployment guides address the specific support for the various features of the 'whole' Cisco TS (and other security) solution frameworks. And then a drill-down (usually the proper links are embedded) to the specific feature, and then that feature on a given device. TS 2.1 defines the use of ISE or ACS5 as the policy server, and configuration examples for the platforms will include and refer to them.
TrustSec Home Page
http://www.cisco.com/en/US/netsol/ns1051/index.html
http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf
I find this page very helpful as a top-level start to what features and capabilities exist per device:
http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
The TS 2.1 Design Guides
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
DesignZone has some updated docs as well
http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng
As the SGT functionality (at this point) is really more of a router/LAN/client solution, the most detailed information will be in the IOS TS guides like:
http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html -
Ask the Expert: One Management with Prime Infrastructure 1.2
With Tejas Shah
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions from Cisco expert Tejas Shah on One Management with Prime Infrastructure 1.2. Combining the wireless functionality of Cisco Prime Network Control System (NCS) with the wired functionality of Cisco Prime LAN Management Solution (LMS), Cisco Prime Infrastructure simplifies and automates many of the day-to-day tasks associated with maintaining and managing the end-to-end network infrastructure from a single pane of glass. The new converged solution delivers all of the existing wireless capabilities for RF management, user access visibility, reporting, and troubleshooting along with wired lifecycle functions such as discovery, inventory, configuration and image management, automated deployment, compliance reporting, integrated best practices, and reporting.
Tejas Shah is a senior technical marketing engineer for Cisco Prime Infrastructure and Collaboration products. He has deployed Cisco Prime Collaboration Manager at various customer sites to help customers monitor and troubleshoot their video infrastructure. In addition, he is part of the Network Operations Center team at Cisco Live events for six years. Shah joined Cisco in 1995 and was in the Technical Assistance Center team supporting various network management system products for more than six years.
Remember to use the rating system to let Tejas know if you have received an adequate response.
Tejas might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Wireless Mobility sub-community discussion forum shortly after the event. This event lasts through Sept 21, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
Raun, please see my responses inline:
Can you go over the licensing method with Prime Infrastructure 1.2 please?
Raun, you can check out the following link for ordering guide at
http://www.cisco.com/en/US/products/ps12239/products_data_sheets_list.html
I currently have NCS and do NOT currently have LMS. I know I can move to Prime Infrastructure through Cisco Product Upgrade Tool. However, what I am confused about is do I still have to buy LMS to have LMS functionality in Prime Infrastructure 1.2?
==> Not at all. The converged product will give you basic management capability for routers and switches that LMS provided in this release. Feature/Functionality will keep on growing with upcoming releases.
If not, do the licenses I transfer into Prime Infrastructure 1.2 from NCS also work for devices to work under LMS?
==> Licensing is different than NCS or LMS. You don't have to transfer the license. Each install of Prime Infrastructure will have a unique UID string on which the licenses are based. A new license will be applied to the product.
I mean, can my current 350 licenses be used for APs as in NCS and for routers in the LMS portion of Prime Infrastructure 1.2?
==> I would recommend getting a total count of your wired and wireless devices and match the right SKU based on that.
Hope this helps.. Let me know if you have any further questions,
Tejas -
Ask the Expert: Single-Site and Multisite FlexPod Infrastructure
With Haseeb Niazi and Chris O'Brien
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Single-Site and Multisite FlexPod Infrastructure with experts Haseeb Niazi and Chris O'Brien.
This is a continuation of the live webcast.
FlexPod is a predesigned and prevalidated base data center configuration built on Cisco Unified Computing System, Cisco Nexus data center switches, NetApp FAS storage components, and a number of software infrastructure options supporting a range of IT initiatives. FlexPod is the result of deep technology collaboration between Cisco and NetApp, leading to the creation of an integrated, tested, and validated data center platform that has been thoroughly documented in a best practices design guide. In many cases, the availability of Cisco Validated Design guides has reduced the time to deployment of mission-critical applications by 30 percent.
The FlexPod portfolio includes a number of validated design options that can be deployed in a single site to support both physical and virtual workloads or across metro sites for supporting high availability and disaster avoidance. This session covers various design options available to customers and partners, including the latest MetroCluster FlexPod design to support a VMware Metro Storage Cluster (vMSC) configuration.
Haseeb Niazi is a technical marketing engineer in the Data Center Group specializing in security and data center technologies. His areas of expertise also include VPN and security, the Cisco Nexus product line, and FlexPod. Prior to joining the Data Center Group, he worked as a technical leader in the Solution Development Unit and as a solutions architect in Advanced Services. Haseeb holds a master of science degree in computer engineering from the University of Southern California. He’s CCIE certified (number 7848) and has 14 years of industry experience.
Chris O'Brien is a technical marketing manager with Cisco’s Computing Systems Product Group. He is currently focused on developing infrastructure best practices and solutions that are designed, tested, and documented to facilitate and improve customer deployments. Previously, O'Brien was an application developer and has worked in the IT industry for more than 20 years.
Remember to use the rating system to let Haseeb and Chris know if you have received an adequate response.
Because of the volume expected during this event, Haseeb and Chris might not be able to answer every question. Remember that you can continue the conversation in the Data Center community, subcommunity Unified Computing shortly after the event. This event lasts through September 27, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
Webcast related links:
Single-Site and Multisite FlexPod Infrastructure - Slides from live webcast
Single-Site and Multisite FlexPod Infrastructure: FAQ from live webcast
Single-Site and Multisite FlexPod Infrastructure - Video from live webcast
I would suggest you read this white paper which details the pros and cons of direct connect storage.
http://www.cisco.com/en/US/partner/prod/collateral/ps10265/ps10276/whitepaper_c11-702584.html This paper captures all the major design points for Ethernet and FC protocols.
I would only add that in FlexPod we are trying to create a highly available solution and "flexible" solution; Nexus switching helps us deliver on both with vPC and unified ports.
NPV equates to end-host mode, which allows the system to present all of the servers as N ports to the external fabric. In this mode, the vHBAs are pinned to the egress interfaces of the fabric interconnects. This pinning removes the potential of loops in the SAN fabric. Host-based multipathing of the vHBAs accounts for potential uplink failures. The NPV mode (end-host mode) simplifies the attachment of UCS into the SAN fabric and that is why it is in NPV mode by default.
So for your last question, I will have to put my Product Manager hat on, so bear with me. First off, there is no drawback to enabling the NPIV feature (none that I am aware of); the Nexus 5000 platform simply offers you a choice to design and support multiple FC initiators (N-Ports) per F-Port via NPIV. This allows for the integration of the FI end-host mode described above. I imagine being a unified access layer switch, the Nexus team enabled standard Fibre Channel switching capability and features first. The implementation of NPIV is a customer choice based on their specific access layer requirements.
/Chris -
Ask the Expert: Overview of Cisco Prime Service Catalog and Process Orchestrator Solutions
Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Cisco Prime Service Catalog and Process Orchestrator solutions.
Cisco expert Jason Davis will discuss Cisco’s network management products offered under the Cisco Prime framework. If you have questions about Cisco Prime infrastructure or data center automation with our Cisco Prime Service Catalog and Process Orchestrator solutions, join us on the Cisco Support Community.
Jason Davis is a distinguished services engineer in the Intelligent Infrastructure Practice team of Cisco Advanced Services. His role is to provide strategic and tactical consulting for hundreds of Advanced Services customers, lead service innovation, and assess new services and technologies. Jason's primary expertise areas are in network management systems, intelligent automation, virtualization, data center operations, software-defined networking, and network programmability.
Based out of the Research Triangle Park (RTP) campus, Jason is also responsible for administering the Research Triangle Park Network Management Lab, Cisco's largest network management lab.
Since joining Cisco in 1998, Jason has been a frequent speaker at Cisco's Networkers and CiscoLive conferences in the United States and Europe. In the past five years he has also been involved in the conference network setup and monitoring. He is a much sought-after resource by the field sales teams to assist with presales solutions and executive briefings. He has provided strategic and tactical network management consulting for several hundred customers.
Jason is a subject matter expert with the following products and features:
Cisco Prime LAN management solution
Cisco Prime infrastructure
CiscoSecure ACS
Cisco Prime Network Registrar
Cisco Process Orchestrator
Cisco Prime Service Catalog
Cisco IP SLA
Embedded Event Manager
SNMPv3
onePK and OpenFlow
Cisco UCS
Device instrumentation
VMware ESX, ESXi, and vCenter
ITIL
Jason received his bachelor of science degree in electrical engineering from the University of Miami (FL). He has been married for 20 years and has 4 children. His interests include providing audiovisual technical support for churches and conference venues, camping and biking with his family, remote-control helicopter piloting, paintball, and recreational shooting.
Remember to use the rating system to let Jason know if you have received an adequate response.
Because of the volume expected during this event, Jason might not be able to answer every question. Remember that you can continue the conversation in Data Center > Intelligent Automation under the subcommunity Cisco Prime Service Catalog shortly after the event. This event lasts through September 12, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

Hello Jason,
Thank you very much for welcoming me to your expert discussion :) I feel I am in the right place, at the right time. Thank you also for answering questions beyond your scope here, much appreciated. The information received will help me to go further, so I have submitted a 5 star rating for your first reply.
That sounds promising about the LMS part so yes, I stay tuned and wait patiently.
Ok, now let's revert to the actual topic discussed here: Cisco Prime Service Catalog and Process Orchestrator solutions. I have briefly read up on this on CCO (where else :) ) and picked out the following quote:
---- Quote from the Cisco Prime Service Catalog Data Sheet ----
Today's end users want self-service and easy access to IT tools and services. Simultaneously, organizations are seeking ways to extend their cloud management platforms beyond self-service delivery of virtual machines and infrastructure resources while increasing their use of cloud-based solutions to enhance business agility and effectiveness. Cisco Prime Service Catalog offers tremendous benefits to organizations that want to unify the ways in which all types of IT services are ordered and fulfilled, not just infrastructure requests.
---- Unquote ----
I try to understand what (at a high level, of course) happens in the background when an order is raised, and which vendor solutions your product can interact with.
As mentioned in the quoted text, this service catalogue goes beyond the standard infrastructure.
Let's say a user wants to deploy a new email service, or, in your example, extend or create a new web portal (e.g. for HR to view and manage holidays, staff absence and benefits).
Your solution will need to interact somehow with the 3rd party vendor application that is capable of building such a portal, I believe.
Without disclosing too much information, I assume the portal is linked to backend VMs that spin up the requested resources (and more magic, of course). Perhaps I am mixing this up with another Cisco product where a user can go on the portal and spin up virtual firewalls; virtual routers can be provisioned in no time.
Out of interest: is this product also known as Mozart? (project code within Cisco?)
I hope the query is ok.
Best wishes
Markus -
With Xander Thuijs
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn about the Cisco ASR 9000 Series Aggregation Services Routers with Cisco expert Xander Thuijs. The Cisco ASR 9000 Series Aggregation Services Routers product family offers significant added value compared to the prior generations of carrier Ethernet routing offerings. The Cisco ASR 9000 Series is an operationally simple, future-optimized platform using next-generation hardware and software. The ASR 9000 platform family is composed of the Cisco ASR 9010 Router, the Cisco ASR 9006 Router, the Cisco ASR 9922 Router, the Cisco ASR 9001 Router and the Cisco ASR 9000v Router.
This is a continuation of the live Webcast.
Xander Thuijs is a principal engineer for the Cisco ASR 9000 Series and Cisco IOS-XR product family at Cisco. He is an expert and advisor in many technology areas, including IP routing, WAN, WAN switching, MPLS, multicast, BNG, ISDN, VoIP, Carrier Ethernet, System Architecture, network design and many others. He has more than 20 years of industry experience in carrier Ethernet, carrier routing, and network access technologies. Xander holds a dual CCIE certification (number 6775) in service provider and voice technologies. He has a master of science degree in electrical engineering from Hogeschool van University in Amsterdam.
Remember to use the rating system to let Xander know if you have received an adequate response.
Xander might not be able to answer each question because of the volume expected during this event. Remember that you can continue the conversation on the Service Providers community XR OS And Platforms shortly after the event. This event lasts through Friday, May 24, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
Webcast related links:
Slides
Webcast Video Recording
FAQ
1. Is there a Cisco lab available for ASR 9000?
We have "XR4U" stations coming available soon when XR 511 comes alive. The plan is for a downloadable play image like that. In the interim we have 2 demo systems available, and they can be booked via your account manager representative.
How will MOD160 perform with multiple 9000NVS?
Very well. The MOD160 has 4 NPUs, 2 per bay. So if you have a 4x10 MPA to serve a satellite, you effectively have a single NPU per 20 1-Gigs from the satellite. The pps performance will be stellar. However, it might be technically and price-wise more ideal to connect the satellite with a 36x10, since the MOD-x has native MPAs with 1G also.
2. Is there a shortcut for a Bundle-EthernetX interface, such as the port-channel interface (poX) in Cisco IOS®?
A usability enhancement is there; we are trying to push this into a new reasonable release. Follow CSCuh04526.
3. What is the revolutions per minute (RPM) on these hard disk drives (HDDs) compared to the solid state drives (SSDs)? Will the spinning drives be slow?
Depends on the type we had available at time of production; you will see different sizes and disks on the RSP2. The RPM of the HD is not so much an issue as much as the buffered writing we used to do in XR. This is fixed up with XR43, where the disk writing performance is much better. The HD/SSD is used for logging storage only (and maybe your pictures), but other than that we're not that concerned with write perf of the HD.
regards
xander -
ASK THE EXPERTS : High Density Wireless Deployments and CleanAir Technology
with
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to get an update on High Density Wireless Deployments and CleanAir technology with Cisco expert Fred Niehaus. Fred is a technical marketing engineer for the Wireless Networking Business Unit at Cisco, where he is responsible for developing and marketing enterprise wireless solutions using Cisco wireless LAN products. In addition to his participation in major deployments, Fred has served as technical editor for several Cisco Press books including the "Cisco 802.11 Wireless Networking Reference Guide" and "The Business Case for Enterprise-Class Wireless LANs." Prior to joining Cisco with the acquisition of Aironet, Fred was a support engineer for Telxon Corporation, supporting some of the very first wireless implementations for major corporate customers. Fred has been in the data communications and networking industry for more than 20 years and holds a Radio Amateur (Ham) License "N8CPI."
Remember to use the rating system to let Fred know if you have received an adequate response.
Fred might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the shortly after the event. This event lasts through June 3, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

You are correct; between the higher numbers of users and the multiple devices per user, the bandwidth requirements keep increasing.
The limitation of three non-overlapping channels in the 2.4 GHz space is driving more customers to 5 GHz; it is important to have both bands when high density deployments are needed. While many older devices only support 2.4 GHz, we are now seeing far more devices with 5 GHz as well.
The recommendation of 20-25 clients and 8 voice calls on a given 2.4 GHz channel is still a good "rule of thumb", with actual customer data requirements driving those numbers higher or lower. You are right when you say "throwing Access Points" at the problem can degrade the wireless quality, as co-channel interference and the overall noise floor can rise with multiple Access Points that can all hear each other.
A better approach to the problem is to throw more spectrum at this issue (using 5 GHz channels) and elements of 802.11n (20 MHz) bandwidth on 2.4 GHz.
What we have been doing in high density deployments is to try to minimize the propagation of a cell and focus it in a given direction. This can be done by:
1. Managing the RF power of the radios (Access Points) and in some cases the client's power (using elements of CCX).
2. Using the right antennas to shape both Tx and Rx cell size to help isolate; we have recently introduced a new high gain antenna for stadiums that does this well.
3. Limit supported rates, obviously the higher the data rate the less sensitive the receiver is and the smaller the cell size becomes.
4. Enable 5 GHz (that adds far more channels for data throughput)
5. Limit the number of SSIDs in use as each requires a separate beacon (adding to RF utilization)
6. Co-locating access points with non-overlapping channels
There are some challenges. For example, many dual-band clients prefer to connect to 2.4 GHz, and 2.4 GHz is more likely to be busier and subject to interference, so we also enable Cisco "Band-Select", which basically "nudges" those clients off 2.4 GHz and pushes them to 5 GHz so as to free up the 2.4 GHz band when we can determine the client has 5 GHz capability.
So how is this done? Well, we do this by listening to the clients: if we detect that the client is sending out probe requests on both bands, we know the client can use 5 GHz, so we essentially make the 5 GHz band "appear more attractive" to that client.
Note: Client load balancing and Band select are features in the Cisco Unified controller menu.
Also, enabling ClientLink (intelligent beamforming) helps direct the signal directly at the client and reduces same-channel interference. -
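The band-select behaviour Fred describes (a client probing on both bands proves 5 GHz capability; the controller then makes 5 GHz "appear more attractive") can be modelled in a few lines. The code below is an added example, not Cisco's implementation or anything from the original thread: the probe-request records, the MAC addresses and the rule of withholding a fixed number of 2.4 GHz probe responses are all constructed for illustration. It shows the two steps separately so the fairness property is visible: a client that has never probed 5 GHz is always answered on 2.4 GHz and is never starved.

```python
"""Illustrative model of a band-select decision (added example).

Step 1: infer 5 GHz capability from a client sending probe requests on
both bands.  Step 2: withhold the first few 2.4 GHz probe responses to
such a client so that 5 GHz "appears more attractive".  Single-band
clients are always answered.  Parameters and data are constructed; they
are not Cisco defaults.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed probe-request observations: (client MAC, band in GHz).
PROBES = [
    ("aa:bb:cc:00:00:01", 2.4),   # client 01 first appears on 2.4 GHz
    ("aa:bb:cc:00:00:01", 5.0),   # ...then probes 5 GHz: dual-band proven
    ("aa:bb:cc:00:00:02", 2.4),   # client 02 only ever probes 2.4 GHz
    ("aa:bb:cc:00:00:02", 2.4),
    ("aa:bb:cc:00:00:01", 2.4),   # these 2.4 GHz probes get "nudged"
    ("aa:bb:cc:00:00:01", 2.4),
    ("aa:bb:cc:00:00:01", 2.4),   # nudge budget exhausted: answered
    ("aa:bb:cc:00:00:02", 2.4),
]


@dataclass
class BandSelect:
    # How many consecutive 2.4 GHz probes to withhold from a dual-band
    # client before answering (constructed value for the example).
    suppress_count: int = 2
    seen_5ghz: set = field(default_factory=set)
    suppressed: dict = field(default_factory=lambda: defaultdict(int))

    def is_dual_band(self, mac: str) -> bool:
        """A client is dual-band once it has been heard probing 5 GHz."""
        return mac in self.seen_5ghz

    def handle_probe(self, mac: str, band: float) -> bool:
        """Return True if the AP should answer this probe request."""
        if band == 5.0:
            self.seen_5ghz.add(mac)   # probing 5 GHz proves capability
            return True               # always answer on 5 GHz
        if not self.is_dual_band(mac):
            return True               # single-band client: never starve it
        if self.suppressed[mac] < self.suppress_count:
            self.suppressed[mac] += 1
            return False              # withhold response: nudge toward 5 GHz
        return True                   # stop withholding after the budget


def run(probes, suppress_count: int = 2):
    """Replay probe records; return the state and per-probe decisions."""
    bs = BandSelect(suppress_count=suppress_count)
    decisions = [(mac, band, bs.handle_probe(mac, band)) for mac, band in probes]
    return bs, decisions


if __name__ == "__main__":
    state, log = run(PROBES)
    for mac, band, answered in log:
        print(f"{mac} {band:>3} GHz -> {'answer' if answered else 'withhold'}")
    print("dual-band clients:", sorted(state.seen_5ghz))
```

The withholding budget is what keeps the nudge from turning into a denial of service for a client whose 5 GHz radio is present but currently out of range of any 5 GHz cell: after the budget is spent the 2.4 GHz probe is answered as usual.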
ASK THE EXPERTS:Branch Office Wireless Strategies
With Jeevan Patil
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to ask how to consolidate your Wireless Branch Network with Cisco subject matter expert Jeevan Patil. Mr. Jeevan Patil is a product manager for the Cisco Wireless Controller product portfolio. He has been involved with the wireless industry for over 12 years, since the first days of 802.11 becoming a standard through the evolution to 802.11n. Mr. Patil has been with Cisco for over 12 years. For the first 5 years he was a software engineer working on security, network management and wireless. In the past 7 years he has been the product manager on various initiatives such as the 802.11n standards, Access Point hardware, client hardware, CCX, standalone (Autonomous) software, WLSE hardware and software, and currently the product line manager on Wireless LAN Controllers.
Remember to use the rating system to let Jeevan know if you have received an adequate response.
Jeevan might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Other Wireless – Mobility Subjects discussion forum shortly after the event. This event lasts through August 12, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

Hi Nigel,
Please take a look at the "WAN Requirements" section from the following Flex7500 deployment guide:
http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
It is highly recommended that the minimum bandwidth restriction remains 128 kbps with the round trip latency no greater than 300 ms for data deployments and 100 ms for data + voice deployments. The maximum transmission unit (MTU) must be at least 500 bytes.
Deployment Type | WAN Bandwidth (Min) | WAN RTT Latency (Max) | Max APs per Branch | Max Clients per Branch
Data            | 128 kbps            | 300 ms                | 5                  | 25
Data + Voice    | 128 kbps            | 100 ms                | 5                  | 25
Data            | 128 kbps            | 1 sec                 | 1                  | 1
Monitor         | 128 kbps            | 2 sec                 | 5                  | N/A
Data            | 1.44 Mbps           | 300 ms                | 50                 | 1000
Data + Voice    | 1.44 Mbps           | 100 ms                | 50                 | 1000
Data            | 1.44 Mbps           | 1 sec                 | 50                 | 1000
Monitor         | 1.44 Mbps           | 2 sec                 | 50                 | N/A
Best Regards,
Jeevan